Scripts & terminals not starting when using runas account that is not local admin on the server

Product: PowerShell Universal
Version: 3.5.4

Installed as a Windows service and running as local system.
The problem does not occur when I make the runas account local admin.
If I want to run a script with a runas account and that account is not local admin (but has logon as batch rights), it fails to start with the error: Error executing job: Did not receive port from client process.

When I launch a terminal with the same account, it times out and the log mentions the following error:

2022-12-20 18:02:47.449 +01:00 [ERR] Connection id “0HMN2L72RQGNT”, Request id “0HMN2L72RQGNT:000003DD”: An unhandled exception was thrown by the application.
System.Exception: Failed to connect to terminal. Timed out.
at PowerShellUniversal.Services.Terminals.TerminalManager.Start(Terminal terminal, Identity identity) in C:\actions-runner_work\universal\universal\src\Universal.Server\Services\TerminalManager.cs:line 78
at UniversalAutomation.TerminalController.NewInstance(Terminal terminal) in C:\actions-runner_work\universal\universal\src\Universal.Server\Controllers\TerminalController.cs:line 194
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask1 actionResultValueTask)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
at Microsoft.AspNetCore.Authorization.Policy.AuthorizationMiddlewareResultHandler.HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
at PowerShellUniversal.FeatureMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\FeatureMiddleware.cs:line 43
at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext()
--- End of stack trace from previous location ---
at PowerShellUniversal.DisallowedModeMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\ModeMiddleware.cs:line 47
at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext()
--- End of stack trace from previous location ---
at Universal.Server.Middleware.RoutingMiddleware.Invoke(HttpContext httpContext, IPolicyEvaluator policyEvaluator) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\RoutingMiddleware.cs:line 172
at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
at Universal.Server.Middleware.SwaggerAuthenticationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\SwaggerAuthMiddleware.cs:line 42
at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext()
--- End of stack trace from previous location ---
at AspNetCoreRateLimit.RateLimitMiddleware1.Invoke(HttpContext context) in C:\actions-runner_work\universal\universal\src\AspNetCoreRateLimit\Middleware\RateLimitMiddleware.cs:line 109
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.StatusCodePagesMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

This should have been resolved in 3.6.x. If you’re in a position to upgrade, I would suggest giving that a shot.

Thanks for the answer, but an upgrade to 3.6.2 did not solve the issue.
I also increased the job handshake timeout to 90 seconds (was already on 30) but that did not help either.

A couple other things you can try:

1 - Try disabling the load of profiles.

2 - Verify that the target account has read access to the repository and program files directories.

  • C:\ProgramData\UniversalAutomation\Repository
  • C:\Program Files (x86)\Universal

3 - Enable Job Debugging in appsettings.json

This will output files in the temp directory for that user that include STDOUT in the event that the service cannot collect them from the agent.

  "UniversalAutomation": {
    "Queues": [],
    "JobHandshakeTimeout": 5,
    "JobDebugging": true,
    "ContinueJobOnServerStop": false
  },

4 - Change the log level to Debug.

It will start capturing STDOUT and STDERR (if it has permissions) from any processes and write it to the log file.

5 - Capture a procmon trace while trying to start a job and terminal.

I’m happy to review this to see if I see anything of note.
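The read-access check from step 2 can be scripted before capturing a procmon trace. The following is an added example, not part of the original reply or of PowerShell Universal: it reports whether the ACLs on the two directories named above grant ReadAndExecute to a non-admin run-as account. The UPN is a hypothetical placeholder, the account is assumed to be a domain account resolvable by UPN, and the result approximates effective access by letting any matching Deny entry override Allow entries.

```powershell
param(
    # Hypothetical placeholder: replace with the UPN of the run-as account.
    [string]$RunAsUpn = 'svc-psu@example.test',
    # Directories listed in step 2 of the reply above.
    [string[]]$Paths = @(
        'C:\ProgramData\UniversalAutomation\Repository',
        'C:\Program Files (x86)\Universal'
    )
)

# Build an identification token for the account (no password required)
# to learn its SID and the SIDs of the groups it belongs to.
$identity = [System.Security.Principal.WindowsIdentity]::new($RunAsUpn)
$sids  = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
$sids += 'S-1-1-0', 'S-1-5-11'   # Everyone, Authenticated Users

$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$readMask    = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

foreach ($path in $Paths) {
    $acl = Get-Acl -LiteralPath $path
    $allowed = 0
    $denied  = 0
    $matched = @()
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        # Skip entries for other principals and entries that only apply to children.
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        if ($rule.PropagationFlags -band $inheritOnly) { continue }
        $matched += $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Deny') {
            $denied = $denied -bor [int]$rule.FileSystemRights
        } else {
            $allowed = $allowed -bor [int]$rule.FileSystemRights
        }
    }
    # Approximation: a Deny bit removes the right regardless of ACE order.
    $effective = $allowed -band (-bnot $denied)
    [pscustomobject]@{
        Path        = $path
        CanRead     = (($effective -band $readMask) -eq $readMask)
        MatchedSids = ($matched | Select-Object -Unique) -join ', '
    }
}
```

A `CanRead` value of `False` on either path points to a missing read grant for the account or one of its groups, which is a narrower fix than adding the account to local Administrators.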

I have not been able to test this further as I worked around this by using the $Secret: scope inside my script to trigger the action that needed the credentials.
When I have some time I will troubleshoot further.